Strict Standards: Declaration of Walker_Comment::start_lvl() should be compatible with Walker::start_lvl(&$output) in /home/drkaos/kaos.to/blog/wp-includes/comment-template.php on line 0

Strict Standards: Declaration of Walker_Comment::end_lvl() should be compatible with Walker::end_lvl(&$output) in /home/drkaos/kaos.to/blog/wp-includes/comment-template.php on line 0

Strict Standards: Declaration of Walker_Comment::start_el() should be compatible with Walker::start_el(&$output) in /home/drkaos/kaos.to/blog/wp-includes/comment-template.php on line 0

Strict Standards: Declaration of Walker_Comment::end_el() should be compatible with Walker::end_el(&$output) in /home/drkaos/kaos.to/blog/wp-includes/comment-template.php on line 0

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/drkaos/kaos.to/blog/wp-includes/comment-template.php:0) in /home/drkaos/kaos.to/blog/wp-content/plugins/wordpress-automatic-upgrade/wordpress-automatic-upgrade.php on line 121

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/drkaos/kaos.to/blog/wp-includes/comment-template.php:0) in /home/drkaos/kaos.to/blog/wp-content/plugins/wordpress-automatic-upgrade/wordpress-automatic-upgrade.php on line 121

Saw an interesting submission by Chuck Talk at RootPrompt the other day about DenyHosts, a tool to prevent repeated attacks against public SSH services running on your servers.

Apparently someone had plenty of time to try to login, and was not deterred by repeated login failure. That set me on a course to find a solution that was simple, effective and enough of a barrier to the attacker that they would move on out of frustration, or simply be denied enough that they would find easier targets.

That search led me to find DenyHosts, a simple and elegant solution that works with a minimal configuration effort and is small, quick and clean. The ease of installation and operation make this an effective solution to annoying SSH attackers, and one that you should consider if you are using SSH services.

DenyHosts then processes the sshd server log (typically, this is /var/log/secure, /var/log/auth.log, etc) and determines which hosts have unsuccessfully attempted to gain access to the ssh server. Additionally, it notes the user and whether or not that user is valid (eg. has a system account) or invalid (eg. does not have a system account).

When DenyHosts determines that a given host has attempted a configurable number of attempts (this is known as the deny_threshold), DenyHosts will add that host to the /etc/hosts.deny file. This will prevent that host from contacting your sshd server again.

Also, DenyHosts will note any successful logins that occurred by a host that has exceeded the deny_threshold. These are known as suspicious logins and should be investigated further by the system admin.